Alexander Bokovoy via FreeIPA-users freeipa-users@lists.fedorahosted.org writes:
As discussions on this mailing list show, there are plenty of edge cases, mostly around 'legacy' UID/GIDs and missing ID ranges that would have covered those IDs. Or ID ranges missing SID-specific attributes (base RID and secondary base RID) that prevent use of those ranges to generate SIDs. KCS https://access.redhat.com/articles/7027037 describes a lot of those details, so I would recommend reading through it and investigating your ID range configuration based on those details.
Would it be helpful to have ipa-healthcheck or checkipaconsistency warn about that? During ipa-server-upgrade it is too late, and it runs most of the time in the background...
Jochen "I also needed to fix my id ranges"
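The kind of pre-upgrade check asked about above, sketched as an added example; it is not part of the thread and is not code from ipa-healthcheck or FreeIPA. The attribute names follow the FreeIPA ID range schema, while the function names, range entries and user IDs are constructed for illustration.

```python
# Constructed sample data: ID range entries as dicts keyed by the FreeIPA
# schema attribute names. All values here are made up for the example.
RANGES = [
    {"cn": "EXAMPLE.TEST_id_range", "ipaRangeType": "ipa-local",
     "ipaBaseID": 1000000, "ipaIDRangeSize": 200000,
     "ipaBaseRID": 1000, "ipaSecondaryBaseRID": 100000000},
    # A range added later for legacy IDs, without the SID-specific attributes.
    {"cn": "legacy_range", "ipaRangeType": "ipa-local",
     "ipaBaseID": 5000, "ipaIDRangeSize": 1000},
]
# Constructed POSIX IDs in use (user name -> uidNumber).
IDS = {"alice": 1000004, "olduser": 5010, "svc": 700}

RID_ATTRS = ("ipaBaseRID", "ipaSecondaryBaseRID")


def covering_range(posix_id, ranges):
    """Return the range entry containing posix_id, or None."""
    for r in ranges:
        base = r["ipaBaseID"]
        if base <= posix_id < base + r["ipaIDRangeSize"]:
            return r
    return None


def check_id_ranges(ranges, ids):
    """Hypothetical check: list findings that would block SID generation."""
    findings = []
    for r in ranges:
        if r.get("ipaRangeType") != "ipa-local":
            continue  # only local ranges are examined in this sketch
        missing = [a for a in RID_ATTRS if a not in r]
        if missing:
            findings.append(("range-missing-rid", r["cn"], missing))
    for name, posix_id in sorted(ids.items()):
        r = covering_range(posix_id, ranges)
        if r is None:
            findings.append(("id-outside-ranges", name, posix_id))
        elif any(a not in r for a in RID_ATTRS):
            findings.append(("id-in-range-without-rid", name, posix_id))
    return findings


if __name__ == "__main__":
    for finding in check_id_ranges(RANGES, IDS):
        print(finding)
```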